37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4

Analysis

max time kernel
152s
max time network
172s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe
Size

302KB
MD5

21db727d01543e455498540cd1bc783c
SHA1

919f462edf03fc81c8bc427d80e6f478149e2f8b
SHA256

37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4
SHA512

5f04d6e8387f5594ae95efdeebb0139766c1dad745b5b33e874e5484cfefc04742422ebdc547f98601903799f9c69c60e7dc97cf7762249d9ff8f1e33dc3f378
SSDEEP

6144:v6DPnPsHhCLm0JvwdZyaHZ7WjUb39eCGhWhku/rhxameKLhPMEY8Rpdt6+:vAPnPP/YZyaHZ7Uk38fhW6u/emeKllY2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
956	witoi.exe

Deletes itself 1 IoCs

pid	Process
328	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe
1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Witoi = "C:\\Users\\Admin\\AppData\\Roaming\\Cepeag\\witoi.exe"	witoi.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	witoi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe
956	witoi.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 956	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	28
PID 1976 wrote to memory of 956	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	28
PID 1976 wrote to memory of 956	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	28
PID 1976 wrote to memory of 956	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	28
PID 956 wrote to memory of 1128	956	witoi.exe	18
PID 956 wrote to memory of 1128	956	witoi.exe	18
PID 956 wrote to memory of 1128	956	witoi.exe	18
PID 956 wrote to memory of 1128	956	witoi.exe	18
PID 956 wrote to memory of 1128	956	witoi.exe	18
PID 956 wrote to memory of 1180	956	witoi.exe	17
PID 956 wrote to memory of 1180	956	witoi.exe	17
PID 956 wrote to memory of 1180	956	witoi.exe	17
PID 956 wrote to memory of 1180	956	witoi.exe	17
PID 956 wrote to memory of 1180	956	witoi.exe	17
PID 956 wrote to memory of 1212	956	witoi.exe	16
PID 956 wrote to memory of 1212	956	witoi.exe	16
PID 956 wrote to memory of 1212	956	witoi.exe	16
PID 956 wrote to memory of 1212	956	witoi.exe	16
PID 956 wrote to memory of 1212	956	witoi.exe	16
PID 956 wrote to memory of 1976	956	witoi.exe	14
PID 956 wrote to memory of 1976	956	witoi.exe	14
PID 956 wrote to memory of 1976	956	witoi.exe	14
PID 956 wrote to memory of 1976	956	witoi.exe	14
PID 956 wrote to memory of 1976	956	witoi.exe	14
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29
PID 1976 wrote to memory of 328	1976	37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe	29

C:\Users\Admin\AppData\Local\Temp\37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe
"C:\Users\Admin\AppData\Local\Temp\37463e5cd515fafd518907c2ed2fb39d61746510b9af2695e96827966688ebd4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\Cepeag\witoi.exe
  "C:\Users\Admin\AppData\Roaming\Cepeag\witoi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\MPIDAEF.bat"
  2⤵
  - Deletes itself
  PID:328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MPIDAEF.bat

Filesize
303B

MD5
f5b0aa63736429ee351045c19a1a94d8

SHA1
69a544a20a3f4dac19f827db4fe6298e62685722

SHA256
7ba137fa9a3ad84f8605519557c097af3f444812068b1b84a4f12aa0a57a3698

SHA512
880de8a7975525b26c6f210bdf762ecefe54e50503d224a6c5270c598e8f619de30b58544d84cfa4344353ea657fef13e729f20b6acf63d2f01ec0735b615723

Download Submit
C:\Users\Admin\AppData\Roaming\Cepeag\witoi.exe

Filesize
302KB

MD5
c24d674bc49400b2be6ac1ca5389b026

SHA1
737577b8bfd3096d3e7c3a8b91a090972cf50122

SHA256
7f322e8873b24726e0b3e04e561c3e3ce94b438cdf8f17a117d7ef132359fd00

SHA512
bf7d907b217fc1015a7ccaca886eaf49c0cf3d18847bb42a9f8fd3b2c1af39e5a58ecd3ee58db33c1cb5c82db1ae4ce658e17d8acfa359d28028d39603a29c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Cepeag\witoi.exe

Filesize
302KB

MD5
c24d674bc49400b2be6ac1ca5389b026

SHA1
737577b8bfd3096d3e7c3a8b91a090972cf50122

SHA256
7f322e8873b24726e0b3e04e561c3e3ce94b438cdf8f17a117d7ef132359fd00

SHA512
bf7d907b217fc1015a7ccaca886eaf49c0cf3d18847bb42a9f8fd3b2c1af39e5a58ecd3ee58db33c1cb5c82db1ae4ce658e17d8acfa359d28028d39603a29c4c

Download Submit
\Users\Admin\AppData\Roaming\Cepeag\witoi.exe

Filesize
302KB

MD5
c24d674bc49400b2be6ac1ca5389b026

SHA1
737577b8bfd3096d3e7c3a8b91a090972cf50122

SHA256
7f322e8873b24726e0b3e04e561c3e3ce94b438cdf8f17a117d7ef132359fd00

SHA512
bf7d907b217fc1015a7ccaca886eaf49c0cf3d18847bb42a9f8fd3b2c1af39e5a58ecd3ee58db33c1cb5c82db1ae4ce658e17d8acfa359d28028d39603a29c4c

Download Submit
\Users\Admin\AppData\Roaming\Cepeag\witoi.exe

Filesize
302KB

MD5
c24d674bc49400b2be6ac1ca5389b026

SHA1
737577b8bfd3096d3e7c3a8b91a090972cf50122

SHA256
7f322e8873b24726e0b3e04e561c3e3ce94b438cdf8f17a117d7ef132359fd00

SHA512
bf7d907b217fc1015a7ccaca886eaf49c0cf3d18847bb42a9f8fd3b2c1af39e5a58ecd3ee58db33c1cb5c82db1ae4ce658e17d8acfa359d28028d39603a29c4c

Download Submit
memory/328-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-114-0x00000000000C0000-0x0000000000109000-memory.dmp

Filesize
292KB

Download
memory/328-98-0x00000000000C0000-0x0000000000109000-memory.dmp

Filesize
292KB

Download
memory/328-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-100-0x00000000000C0000-0x0000000000109000-memory.dmp

Filesize
292KB

Download
memory/328-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/328-102-0x00000000000C0000-0x0000000000109000-memory.dmp

Filesize
292KB

Download
memory/328-101-0x00000000000C0000-0x0000000000109000-memory.dmp

Filesize
292KB

Download
memory/1128-69-0x0000000001FE0000-0x0000000002029000-memory.dmp

Filesize
292KB

Download
memory/1128-65-0x0000000001FE0000-0x0000000002029000-memory.dmp

Filesize
292KB

Download
memory/1128-67-0x0000000001FE0000-0x0000000002029000-memory.dmp

Filesize
292KB

Download
memory/1128-68-0x0000000001FE0000-0x0000000002029000-memory.dmp

Filesize
292KB

Download
memory/1128-70-0x0000000001FE0000-0x0000000002029000-memory.dmp

Filesize
292KB

Download
memory/1180-76-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1180-73-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1180-74-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1180-75-0x00000000019C0000-0x0000000001A09000-memory.dmp

Filesize
292KB

Download
memory/1212-81-0x0000000002980000-0x00000000029C9000-memory.dmp

Filesize
292KB

Download
memory/1212-82-0x0000000002980000-0x00000000029C9000-memory.dmp

Filesize
292KB

Download
memory/1212-79-0x0000000002980000-0x00000000029C9000-memory.dmp

Filesize
292KB

Download
memory/1212-80-0x0000000002980000-0x00000000029C9000-memory.dmp

Filesize
292KB

Download
memory/1976-104-0x0000000000380000-0x00000000003C9000-memory.dmp

Filesize
292KB

Download
memory/1976-88-0x0000000000380000-0x00000000003C9000-memory.dmp

Filesize
292KB

Download
memory/1976-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-95-0x0000000000380000-0x00000000003D1000-memory.dmp

Filesize
324KB

Download
memory/1976-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1976-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1976-87-0x0000000000380000-0x00000000003C9000-memory.dmp

Filesize
292KB

Download
memory/1976-86-0x0000000000380000-0x00000000003C9000-memory.dmp

Filesize
292KB

Download
memory/1976-85-0x0000000000380000-0x00000000003C9000-memory.dmp

Filesize
292KB

Download
memory/1976-55-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1976-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download